Ordinary emails travel as plain text, so any third party who intercepts them can read the sensitive information they contain. Anyone sending emails containing credit card numbers, social security information or proprietary business knowledge should encrypt these messages using asymmetric encryption, which uses a key pair consisting of a public and a private key.

As opposed to symmetric encryption, which uses a single key for both encrypting and decrypting files, asymmetric encryption limits who can read a message to whoever holds the matching private key. Symmetric encryption is useful for protecting sensitive files with a password when only one person or a small, dedicated group uses those files. It becomes risky, however, when many people share the same password for decrypting them.

A better method of email security relies on a key pair in which the decryption key (the secret key) is never made public. Each person in the communication network gives their public key to the others. To send a message to one person, the sender encrypts it with the recipient’s public key. From that point on, even the sender cannot decrypt the message, unless they add themselves to the list of recipients and encrypt to their own key as well. Only the people on the recipient list can decode the message, each with their own private key.

For any company concerned about internet security, the OpenPGP standard provides the ideal way to encrypt messages directly within a mail client. OpenPGP software such as gpg4o, which supports Outlook, Exchange and alternative mail servers like Kerio Connect or Zarafa, generates a security certificate containing the public and private keys. Not even the NSA can read messages encrypted with PGP unless it somehow obtains the private key together with its passphrase. However, when a key pair becomes compromised it can be revoked, so that correspondents stop encrypting messages to that key; revocation does not protect messages that were already encrypted to it, since the private key can still decrypt them.

One thing to decide before encrypting emails is whether the certificate should expire and, if so, at a safe point in the future. A certificate does not have to expire, but if it does, every party in the communication network must know the date so that nobody keeps encrypting messages to an expired key.

Another requirement is that all parties have the necessary software for encrypting and decrypting messages. Once these requirements are met, each recipient can be sure that a message they receive comes from the person who signed it. OpenPGP encryption provides simplicity, security and authenticity with no need to worry.
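The workflow described above (key pair with an expiry date, encrypting to the recipient and to oneself, signing, and revoking a compromised key), as an added example that is not part of the original post and not gpg4o's own code: it uses GnuPG in a throwaway keyring, and the user ids alice and bob, the one-year expiry and the message text are constructed for the demo.

```shell
# Added example (not from the original post or the gpg4o product): the workflow
# described above, performed with GnuPG in a throwaway keyring. The user ids
# alice and bob, the one-year expiry and the message text are constructed.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; exit 0; }
export GNUPGHOME="$(mktemp -d)"; chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
MSG="$GNUPGHOME/msg.txt"

# gpg in non-interactive mode; keys are left unprotected for the demo only.
gpgb() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Key pair for user id $1 that expires after $2 (e.g. 1y), as the post advises.
make_key() { gpgb --quick-generate-key "$1" default default "$2" 2>/dev/null; }

# Encrypt file $3 to recipient $2 AND to sender $1, signed by $1. Encrypting to
# the sender as well is what lets the sender read the message again later.
encrypt_and_sign() {
  gpgb --trust-model always --sign --local-user "$1" \
       --recipient "$1" --recipient "$2" --output "$3.gpg" --encrypt "$3"
}

# Decrypt $1 and print the plaintext only if the signature verified (GOODSIG).
decrypt_verified() {
  out=$(gpgb --status-fd 2 --decrypt "$1" 2>"$1.status") || return 1
  grep -q '^\[GNUPG:\] GOODSIG ' "$1.status" || return 1
  printf '%s' "$out"
}

# Revoke the key of $1 by importing the revocation certificate gpg wrote when
# the key was created (its armor header is prefixed with ':' as a safety catch).
revoke_key() {
  fpr=$(gpgb --with-colons --list-keys "$1" | awk -F: '/^fpr/ {print $10; exit}')
  sed 's/^://' "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" | gpgb --import 2>/dev/null
}

# True if gpg refuses to encrypt file $2 to user id $1 (e.g. after revocation).
encrypt_refused() {
  ! gpgb --trust-model always --recipient "$1" --output /dev/null --encrypt "$2" 2>/dev/null
}

make_key alice 1y; make_key bob 1y
printf 'card ending 4242' > "$MSG"
encrypt_and_sign bob alice "$MSG"
decrypt_verified "$MSG.gpg"; echo        # readable, and signed by bob
revoke_key alice
encrypt_refused alice "$MSG"             # no NEW mail can be encrypted to alice's key
decrypt_verified "$MSG.gpg"; echo        # ...but mail already sent to her still opens
```

The last two steps show the point about revocation: it stops new mail going to the compromised key, but anything already encrypted to it remains decryptable with the leaked private key.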